EBIOS RM EBIOS Risk Manager.

EBIOS Risk Manager is ANSSI's cyber-risk method, focused on strategic attack scenarios. Maps business processes against attacker objectives, then derives the technical controls. Standard in French public-sector and operators of vital importance. Excellent for showing the board WHY a specific scenario matters; less common in private-sector multinational audits.

By Christophe Mazzola, Practicing CISO · Founder of Cyber AcademyRisk managementAll entries

The Cyber Academy take

EBIOS Risk Manager is ANSSI's cyber-risk method, focused on strategic attack scenarios. Maps business processes against attacker objectives, then derives the technical controls. Standard in French public-sector and operators of vital importance. Excellent for showing the board WHY a specific scenario matters; less common in private-sector multinational audits.

What EBIOS Risk Manager actually does

EBIOS Risk Manager is the cyber-risk assessment method maintained by ANSSI, the French national cybersecurity agency. Its defining move is to start from the attacker, not from a list of assets. Instead of cataloguing every server and asking what could go wrong with each one, the method asks who would want to harm the organisation, what they would be trying to achieve, and which business missions they would target to get there. The technical controls come last, derived from the scenarios, rather than being the starting point.

This reverse logic is what makes EBIOS RM useful in front of a board. A traditional bottom-up risk register produces hundreds of line items that mean little to executives. EBIOS RM produces a handful of strategic scenarios such as a state-sponsored actor disrupting a critical service, or a competitor exfiltrating design data, each tied to a concrete business mission. That framing answers the question executives actually ask: why does this specific threat matter to us, and what would it cost us if it happened.

The five workshops

EBIOS RM is structured as a sequence of workshops, each building on the previous one. The method is deliberately collaborative: it brings business owners, risk specialists, and security teams into the same room rather than leaving the analysis to a single analyst.

  1. Scope and security baseline. Define the business and technical perimeter, identify the missions and feared events, and assess the existing security baseline against what is expected.
  2. Risk origins. Identify the risk origins and their target objectives, the pairing of who might attack and what they want, then prioritise the most relevant ones.
  3. Strategic scenarios. Map the ecosystem of partners, suppliers, and stakeholders, assess how an attacker could reach the organisation through them, and build high-level attack paths.
  4. Operational scenarios. Translate the strategic scenarios into concrete technical attack sequences, describing how an adversary would actually move through systems.
  5. Risk treatment. Decide on the security measures, build the treatment plan, and document the residual risk that leadership formally accepts.

Where it fits, and where it does not

EBIOS RM is the standard method in the French public sector and among operators of vital importance, where regulatory expectations point toward ANSSI guidance. It is also widely taught and used across French-speaking organisations. Outside that context, in private-sector multinational audits, you are far more likely to encounter ISO 27005, which is the international standard for information security risk management and is method-agnostic by design.

The two are complementary rather than rival. ISO 27005 describes a generic risk management process aligned with ISO 27001 and ISO 31000 but does not prescribe a single technique. EBIOS RM is one concrete, recognised way to carry out that process, and ANSSI positions it as compatible with the ISO approach. A team can run EBIOS RM workshops and still report results in ISO 27005 terms.

EBIOS Risk Manager compared to ISO 27005
AspectEBIOS Risk ManagerISO 27005
OriginANSSI (France)ISO/IEC international standard
NaturePrescriptive method with defined workshopsMethod-agnostic risk management guidance
Starting pointAttacker objectives and business missionsAssets, threats, and vulnerabilities
Typical contextFrench public sector, operators of vital importanceInternational, private-sector ISMS audits

In practice, knowing EBIOS RM signals fluency with the ANSSI ecosystem, and knowing ISO 27005 signals fluency with the international standards world. Risk practitioners working across European and French markets are well served by understanding both, because the method you reach for depends on who is reading the report.

Frequently asked questions

01Who publishes and maintains EBIOS Risk Manager?

EBIOS Risk Manager is published and maintained by ANSSI, the French national cybersecurity agency. It is the current edition of the EBIOS method and is made available as official guidance for organisations assessing cyber risk.

02How is EBIOS RM different from ISO 27005?

EBIOS RM is a specific, workshop-driven method that starts from attacker objectives and business missions. ISO 27005 is a method-agnostic international standard for information security risk management. EBIOS RM can be used as one concrete way to carry out an ISO 27005-aligned process; they are complementary, not competing.

03What are the five EBIOS RM workshops?

The method runs as five sequential workshops: scope and security baseline, risk origins, strategic scenarios, operational scenarios, and risk treatment. Each builds on the previous one, moving from business framing to concrete technical scenarios and finally to a treatment plan.

04When should an organisation choose EBIOS RM?

EBIOS RM is well suited when you need to explain to leadership why a specific attack scenario matters, and when you operate in the French public sector or as an operator of vital importance where ANSSI guidance is expected. For international private-sector audits, ISO 27005 is more commonly requested.

05Is EBIOS RM a certification?

No. EBIOS RM is a risk assessment method, not a certification scheme. Practitioners can train in applying the method, but organisations are not certified against EBIOS RM the way they certify an ISO 27001 management system.

Need more than a definition?

Book a free 20-minute discovery call. We map the cohort that turns this term into an audit-ready practice.